Insecure Temporary Files - Elixir

Need

Securely store sensitive information

Context

1. Usage of Elixir (1.11 and above) for building scalable and fault-tolerant applications
2. Usage of Phoenix Framework (1.5+) for building web applications

Description

Insecure Code Example

defmodule TempFilesController do
  use MyAppWeb, :controller
  def write(conn, %{'data' => data}) do
    File.write!('/tmp/temp_file', data)
    send_resp(conn, 200, "Data written to temporary file.")
  end
end

The above code is vulnerable because it writes sensitive information to a temporary file '/tmp/temp_file'. This file is accessible to all other users on the system, and can also be read by any other processes. This exposes the sensitive information to potential unauthorized access and theft.

Steps

1. Avoid saving sensitive information in temporary files.
2. Encrypt sensitive data before saving.
3. Ensure temporary files are securely deleted after use.

Secure Code Example

defmodule SecureStorageController do
  use MyAppWeb, :controller
  def write(conn, %{'data' => data}) do
    encrypted_data = Encryption.encrypt(data)
    {:ok, _} = SecureStorage.put(encrypted_data)
    send_resp(conn, 200, "Data securely stored.")
  end
end

In the secure code example, the sensitive data is first encrypted before being stored, ensuring that even if unauthorized access were to occur, the data would be unreadable without the decryption key. The 'SecureStorage' is a hypothetical secure storage system that should be substituted with an actual secure data storage system in your application.

References

Last updated

2023/09/18